Command Injection: Exploiting System Vulnerabilities

  • Virtual Cyber Labs
  • 15 Feb, 2025


Introduction

Command injection is a critical security vulnerability that allows an attacker to execute arbitrary system commands on a target system. This vulnerability arises when user input is improperly validated and directly passed to system command execution functions. Attackers exploit command injection to gain unauthorized access, manipulate system behavior, or execute malicious payloads.

This blog explores the fundamentals of command injection, how it works, real-world examples, detection techniques, and strategies for mitigation.


Understanding Command Injection

Command injection occurs when an application concatenates user input with system commands without proper validation or sanitization. This allows attackers to inject additional commands that the system executes with the privileges of the vulnerable application.

Commonly Affected Functions

Command injection vulnerabilities are often found in applications that call functions which execute system commands. Common functions in various programming languages include:

  • PHP: system(), exec(), shell_exec(), passthru()
  • Python: os.system(), subprocess.Popen(), subprocess.call()
  • Java: Runtime.getRuntime().exec()
  • Bash Scripts: Backticks (`command`), $(command)

Difference Between Command Injection and Code Injection

  • Command Injection: Injecting system commands that execute within the operating system’s shell.
  • Code Injection: Injecting arbitrary code in the application’s runtime environment (e.g., SQL Injection, Remote Code Execution).

Command injection is particularly dangerous because it allows attackers to interact directly with the operating system.


How It Works

Basic Example

Consider a simple web application that provides a network diagnostics tool. It allows users to enter an IP address and runs a ping command:

<?php
    // User input is concatenated straight into the shell command string.
    $ip = $_GET['ip'];
    system("ping -c 4 " . $ip);
?>

If a user enters 8.8.8.8, the command executed is:

ping -c 4 8.8.8.8

However, if an attacker inputs:

8.8.8.8; cat /etc/passwd

The system executes:

ping -c 4 8.8.8.8; cat /etc/passwd

This allows the attacker to read the contents of /etc/passwd, potentially exposing sensitive system data.
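The following Python script is an added example, not code from the original post, that shows what the shell actually does with the concatenated string above. It tokenises the command the way a POSIX shell would (using only the standard shlex module, nothing is executed) and splits it into the separate commands the shell would run. It also shows the effect of shell-quoting the user value first, which is the Python equivalent of PHP's escapeshellarg().

```python
# Added example (not from the original post): parse the concatenated ping
# command the way a POSIX shell would and list the commands it would run.
# Nothing is executed; shlex only tokenises the string.
import shlex

# Command separators the shell honours between simple commands.
SEPARATORS = {";", "&&", "||", "|", "&"}


def build_ping_command(ip: str) -> str:
    """Vulnerable construction: user input concatenated into the command string."""
    return "ping -c 4 " + ip


def build_ping_command_quoted(ip: str) -> str:
    """Same construction, but the user value is shell-quoted first."""
    return "ping -c 4 " + shlex.quote(ip)


def split_shell_commands(cmdline: str) -> list:
    """Tokenise cmdline like a POSIX shell and group the tokens into the
    separate simple commands the shell would run (one argv list each)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for user_input in ("8.8.8.8", "8.8.8.8; cat /etc/passwd"):
        print("input      :", user_input)
        print("  vulnerable:", split_shell_commands(build_ping_command(user_input)))
        print("  quoted    :", split_shell_commands(build_ping_command_quoted(user_input)))
```

For the benign input the vulnerable string yields a single ping command; for the injected input it yields two commands, the second being cat /etc/passwd. With the value quoted, the whole input stays one argument of ping, so ping simply fails to resolve it instead of a second program running.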

Types of Command Injection

  1. Classic: The attacker injects arbitrary commands using special characters such as ;, &&, |, or $( ).
  2. Blind: The response is not visible to the attacker directly, but system behavior changes can indicate successful exploitation.
  3. Time-Based: Attackers use commands like sleep 10 to measure response delays and confirm vulnerability presence.

Real-World Examples of Command Injection Attacks

1. Shellshock (CVE-2014-6271)

Shellshock was a critical vulnerability in the Bash shell that allowed attackers to execute arbitrary commands by manipulating environment variables.

Exploit example:

curl -H "User-Agent: () { :; }; echo 'Vulnerable'" http://target.com/cgi-bin/vulnerable_script

2. Cisco WebEx Client Vulnerability (CVE-2017-3823)

A command injection vulnerability in Cisco WebEx client allowed attackers to execute arbitrary commands when a user opened a malicious link.

3. ASUS Router Exploit (CVE-2018-8877)

A command injection flaw in ASUS router firmware allowed remote attackers to execute arbitrary system commands through the web interface.


Detection and Exploitation Techniques

1. Manual Testing

Attackers test for command injection by appending system commands to user inputs:

  • ; ls
  • && whoami
  • | cat /etc/passwd

2. Automated Tools

Penetration testers use tools to detect command injection vulnerabilities:

  • Burp Suite: Used for intercepting and modifying web requests.
  • OWASP ZAP: Automated scanning for web application vulnerabilities.
  • Commix: A specialized tool for command injection attacks.

3. Fuzzing Techniques

Fuzzing involves injecting special characters (;, &&, |, $( ), &, >, <) to analyze system responses and detect vulnerabilities.
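The same metacharacter list is useful on the defending side. The script below is an added example, not part of the original post: it scans web server access log lines for request parameters whose decoded value contains any of the characters listed above. The log lines, the client addresses and the /ping.php endpoint are all constructed for this example.

```python
# Added example (not from the original post): flag access-log requests whose
# query parameters carry shell metacharacters. Log lines are constructed.
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines: one benign ping, two percent-encoded
# injection attempts, and an unrelated benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2025:10:01:02 +0000] "GET /ping.php?ip=8.8.8.8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [15/Feb/2025:10:01:09 +0000] "GET /ping.php?ip=8.8.8.8%3B%20cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/8.4.0"
10.0.0.7 - - [15/Feb/2025:10:02:11 +0000] "GET /ping.php?ip=8.8.8.8%26%26%20sleep%2010 HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.8 - - [15/Feb/2025:10:03:30 +0000] "GET /search.php?q=hello%20world HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client address, timestamp and the request line ("METHOD target protocol").
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Shell metacharacters from the fuzzing list: ; && | $( & > < plus backticks.
METACHAR_RE = re.compile(r";|&&|\|\||\||&|\$\(|`|>|<")


def suspicious_params(line: str) -> list:
    """Return (source_ip, param_name, decoded_value) for every query parameter
    in one log line whose decoded value contains a shell metacharacter."""
    match = REQUEST_RE.match(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = []
    # parse_qsl percent-decodes values, so an encoded %3B shows up as ';'.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if METACHAR_RE.search(value):
            hits.append((match.group("src"), name, value))
    return hits


def scan_log(text: str) -> list:
    """Apply suspicious_params to every line of an access log."""
    return [hit for line in text.splitlines() for hit in suspicious_params(line)]


if __name__ == "__main__":
    for src, name, value in scan_log(SAMPLE_LOG):
        print(f"{src}: parameter {name!r} contains shell metacharacters: {value!r}")
```

Decoding before matching matters: the injected separators arrive percent-encoded (%3B, %26%26), so a check on the raw request line would miss them. This kind of rule produces false positives on free-text fields, so in practice it is scoped to parameters that are known to reach a command execution function.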


Practical Demonstration

Setting Up a Vulnerable Application

To understand command injection practically, set up a simple PHP web application on a Linux machine:

  1. Install Apache and PHP: sudo apt update && sudo apt install apache2 php -y
  2. Create a vulnerable script: sudo nano /var/www/html/vulnerable.php
  3. Add the following code: <?php $cmd = $_GET['cmd']; system($cmd); ?>
  4. Start Apache: sudo systemctl restart apache2
  5. Access it via browser: http://localhost/vulnerable.php?cmd=ls

Exploiting the Vulnerability

Try executing various system commands:

  • http://localhost/vulnerable.php?cmd=whoami
  • http://localhost/vulnerable.php?cmd=id
  • http://localhost/vulnerable.php?cmd=cat /etc/passwd

Mitigation in Practical Scenarios

Fix the vulnerability by sanitizing user input:

<?php
    $cmd = escapeshellcmd($_GET['cmd']);
    system($cmd);
?>

Or, restrict allowed commands:

<?php
    $allowed_commands = ['ls', 'whoami', 'id'];
    $cmd = $_GET['cmd'];
    if (in_array($cmd, $allowed_commands)) {
        system($cmd);
    } else {
        echo "Invalid command";
    }
?>
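The script below is an added example, not code from the original post, that carries both fixes through in Python (which the post lists among the affected languages) for the ping handler and the allow-listed command runner. It combines two controls: the user value is validated as a literal IP address before use, and the program is started from an argv list with no shell, so separators such as ; or && are never interpreted. The function names and the allow-list contents are this example's own choices.

```python
# Added example (not from the original post): hardened counterparts of the
# vulnerable ping handler and the allow-list fix. Only run_ping() executes
# anything; the argv builders just validate and return lists.
import ipaddress
import subprocess

# Fixed argv for each command name a caller may request (allow-list).
ALLOWED_COMMANDS = {
    "ls": ["ls", "-l"],
    "whoami": ["whoami"],
    "id": ["id"],
}


def ping_argv(ip: str) -> list:
    """Return the argv for pinging ip, or raise ValueError for anything that is
    not a literal IPv4/IPv6 address. This also rejects values such as '-f'
    that a shell-free call would otherwise hand to ping as an option."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {ip!r}") from None
    return ["ping", "-c", "4", str(addr)]


def resolve_command(name: str) -> list:
    """Map a requested command name to its fixed argv; reject anything else."""
    if name not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {name!r}")
    return list(ALLOWED_COMMANDS[name])


def is_rejected(builder, value: str) -> bool:
    """True when builder raises ValueError for value (used to check the filters)."""
    try:
        builder(value)
    except ValueError:
        return True
    return False


def run_ping(ip: str) -> str:
    """Validate, then execute without a shell; returns combined output."""
    result = subprocess.run(ping_argv(ip), capture_output=True, text=True, timeout=30)
    return result.stdout + result.stderr


if __name__ == "__main__":
    for value in ("8.8.8.8", "8.8.8.8; cat /etc/passwd", "-f"):
        try:
            print(value, "->", ping_argv(value))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
```

Two points from this design carry back to the PHP fixes above. First, escapeshellcmd() applied to a whole user-supplied command string still lets the caller choose which program runs; the PHP analogue of ping_argv() is a fixed command with escapeshellarg() wrapped around the single validated argument. Second, dropping the shell removes separator injection but not argument injection, which is why the value is validated as an IP address rather than merely quoted.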

Conclusion

Command injection remains one of the most severe web application security vulnerabilities due to its potential to grant attackers full system control. By understanding how it works, testing for vulnerabilities, and implementing strict security measures, developers and security professionals can protect applications from such exploits.

By incorporating input validation, using secure APIs, and following the principle of least privilege, organizations can significantly reduce their risk of command injection attacks.

Key Takeaways:

  • Always validate and sanitize user input.
  • Avoid direct execution of user-provided data.
  • Use secure coding practices and security tools to detect vulnerabilities.
  • Regularly update and patch software to mitigate risks.
